How Data Security Breaches Hit the Bottom Line

When it comes to consumer forgiveness after a breach, don’t count on it. According to a recent survey, only eight percent of consumers who receive a security breach notification do not blame the organization that suffered the breach. In addition, 19 percent of consumers who received a notification took their business elsewhere, and a further 40 percent were considering doing so.

Simply put, “companies lose customers when a breach occurs,” notes Larry Ponemon, founder and head of the Ponemon Institute, which conducted the survey. Almost 10,000 American adults took part, and 1,100 of them had received a security-breach notification stating that their personal information may have been compromised.

Overall, “86 percent of security breaches involved the loss or theft of customer or consumer information,” notes Ponemon, and “about 14 percent involved employee, student, medical, and taxpayer data.” For consumers, the largest number of security notifications came from banks, followed by credit card companies, government organizations (including state universities), and healthcare providers.

From Breach to Lawsuit

Post-notification, some customers don’t just take their business elsewhere: five percent say they’ve hired a lawyer. According to a statement by David Bender, co-head of the privacy practice at New York-based White & Case LLP, which sponsored the survey, “Five percent may not seem like much, until you realize that anywhere between 23 million and 50 million Americans have received notification of a data security breach. That means that over one million people out there are likely seeking legal counsel.” Already, security-breach notifications in California have resulted in class-action lawsuits.

While customer ire over having their personal information compromised is predictable, organizations’ notification techniques often don’t help. For example, according to Ponemon, when a consumer receives a security-breach notification, “over 39 percent of respondents initially thought the notice was junk mail, spam, or a telemarketing phone call.” Furthermore, half of respondents said the notice they received was difficult to understand, and 39 percent said “the message conveyed by the organization about the data security breach” was not “honest and believable.”

Another interesting finding is that consumers want tougher notification requirements. According to the survey, “about 59 percent of respondents do not have confidence in U.S. state or federal regulations to protect the public from data security breaches by organizations.” Four in five respondents also think organizations should always have to disclose security breaches, even when information is encrypted or no information was stolen, and regardless of the type of information involved in the breach. Still, only 22 percent of respondents said they understand what encryption is.

Preparations and Politeness Pay Off

How can organizations better prepare for and respond to security breaches?

First, “the company should use appropriate security practices and should conduct a privacy audit,” notes Bender. “In the event a breach occurs, the survey suggests that the company should send each victim a notification that is timely, is written in clear language free of technical or legal jargon, is detailed enough to describe what has happened, and that offers a victim assistance hotline.”

According to the survey, companies that notify consumers of the breach via telephone or personalized letters, or both, are only about one-third as likely to lose customers as organizations that send just e-mails or form letters.

In short, politeness and thoroughness count. “Companies taking pains to handle the breach correctly lost the fewest customers,” notes Bender.

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.